The Department of Justice (DOJ) has
made clear that it interprets the ADA as applicable to websites.
Is your web site compliant with the Americans with
Disabilities Act? For the past 20 years, our bank web
site audits have covered the ADA guidelines. Help reduce
any liability, please contact me for more information at
- NIST updates Cybersecurity Framework, seeks comment - The National
Institute of Standards and Technology (NIST) issued a draft update
on Tuesday to its Framework for Improving Critical Infrastructure
Cybersecurity, aka the Cybersecurity Framework, aimed at forging
stronger cybersecurity measures.
- How much cyberinsurance is enough? - How a top security manager
feels about cyberinsurance often may have a lot to do with the type
of company he or she works for.
NSA to share raw intercepted data with other intel agencies - The
National Security Agency (NSA) was granted expanded powers to
exchange information gathered in its global surveillance operations.
The intelligence organization will now be allowed to share raw data
with the federal government's 16 other intelligence agencies,
according to a report on Thursday in the New York Times.
FBI withdrew national security letter after Cloudflare lawsuit -
Cloudflare, served with a national security letter at the beginning
of 2013, managed to get the FBI to withdraw its request but has been
under a gag order preventing it from speaking about the matter
Giuliani will form Trump cybersecurity team - Former New York City
Mayor Rudy Giuliani will form a cybersecurity team for
President-elect Donald Trump, the Trump transition team said
Missouri bill limits warrantless stingray use - Rep. Keith Frederick
(R-Mo.) introduced state legislation that would prohibit warrantless
stingray use in the state except in emergency situations.
GoDaddy revokes 9,000 SSL certificates wrongly validated by code bug
- GoDaddy was obliged to revoke thousands of SSL certificates on
Tuesday as the result of an unspecified software bug.
Attorney files civil litigation against Chicago for use of stingrays
without warrant - An attorney has filed a civil lawsuit against the
City of Chicago and various members of the Chicago Police Department
(CPD), claiming that their warrantless use of stingray devices on
individuals attending a 2015 public protest was a violation of their
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Crims shut off Ukraine power in wide-ranging anniversary hacks -
Phishing, denial of service, and remote exploitation part of hacking
banquet - Hackers of unknown origin cut power supplies in Ukraine
for a second time in 12 months as part of wide-ranging attacks that
hit the country in December.
Amazon customers targeted in phishing scam - Sophos researchers
pulled the covers off a phishing scam hitting Amazon customers who
are looking for deals on electronics that are too good to be true.
Giuliani's website goes down, riddled with security flaws - Just
hours after Donald Trump's transition team said former New York
Mayor Rudy Giuliani would advise the incoming president on
cybersecurity issues and build the administrations cybersecurity
team, Giuliani Security's website went down.
Cellebrite loses 900GB of customer data in breach of old server -
Cellebrite, which rose to fame in 2016 when the FBI allegedly
approached it to crack open the iPhone 5c of San Bernardino shooter
Syed Farook, has suffered a 900GB data breach.
Cyberattack burns out marijuana tech company's servers - For once,
marijuana enthusiasts have actual reason to feel paranoid.
3,600 patients affected by breach at the Children's Hospital Los
Angeles - In mid-December a laptop belonging to a doctor working at
the Children's Hospital Los Angeles and the Children's Hospital Los
Angeles Medical Group was stolen.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Management Oversight -
Principle 5: Banks should use transaction authentication methods
that promote non-repudiation and establish accountability for
Non-repudiation involves creating proof of the origin or
delivery of electronic information to protect the sender against
false denial by the recipient that the data has been received, or to
protect the recipient against false denial by the sender that the
data has been sent. Risk of transaction repudiation is already an
issue with conventional transactions such as credit cards or
securities transactions. However, e-banking heightens this risk
because of the difficulties of positively authenticating the
identities and authority of parties initiating transactions, the
potential for altering or hijacking electronic transactions, and the
potential for e-banking users to claim that transactions were
To address these heightened concerns, banks need to make
reasonable efforts, commensurate with the materiality and type of
the e-banking transaction, to ensure that:
1) E-banking systems are designed to reduce the likelihood that
authorized users will initiate unintended transactions and that
customers fully understand the risks associated with any
transactions they initiate.
2) All parties to the transaction are positively authenticated
and control is maintained over the authenticated channel.
3) Financial transaction data are protected from alteration and
any alteration is detectable.
Banking organizations have begun to employ various techniques that
help establish non-repudiation and ensure confidentiality and
integrity of e-banking transactions, such as digital certificates
using public key infrastructure (PKI). A bank may issue a digital
certificate to a customer or counterparty to allow for their unique
identification/authentication and reduce the risk of transaction
repudiation. Although in some countries customers' rights to
disclaim transactions is provided in specific legal provisions,
legislation has been passed in certain national jurisdictions making
digital signatures legally enforceable. Wider global legal
acceptance of such techniques is likely as technology continues to
the top of the newsletter
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
Encryption is used to secure communications and data storage,
particularly authentication credentials and the transmission of
sensitive information. It can be used throughout a technological
environment, including the operating systems, middleware,
applications, file systems, and communications protocols.
Encryption is used both as a prevention and detection control. As a
prevention control, encryption acts to protect data from disclosure
to unauthorized parties. As a detective control, encryption is used
to allow discovery of unauthorized changes to data and to assign
responsibility for data among authorized parties. When prevention
and detection are joined, encryption is a key control in ensuring
confidentiality, data integrity, and accountability.
Properly used, encryption can strengthen the security of an
institution's systems. Encryption also has the potential, however,
to weaken other security aspects. For instance, encrypted data
drastically lessens the effectiveness of any security mechanism that
relies on inspections of the data, such as anti - virus scanning and
intrusion detection systems. When encrypted communications are used,
networks may have to be reconfigured to allow for adequate detection
of malicious code and system intrusions.
Although necessary, encryption carries the risk of making data
unavailable should anything go wrong with data handling, key
management, or the actual encryption. The products used and
administrative controls should contain robust and effective controls
to ensure reliability.
Encryption can impose significant overhead on networks and
computing devices. A loss of encryption keys or other failures in
the encryption process can deny the institution access to the
Financial institutions should employ an encryption strength
sufficient to protect information from disclosure until such time as
the information's disclosure poses no material threat. For instance,
authenticators should be encrypted at a strength sufficient to allow
the institution time to detect and react to an authenticator theft
before the attacker can decrypt the stolen authenticators.
Decisions regarding what data to encrypt and at what points to
encrypt the data are typically based on the risk of disclosure and
the costs and risks of encryption. Generally speaking,
authenticators are always encrypted whether on public networks or on
the financial institution's network. Sensitive information is also
encrypted when passing over a public network, and also may be
encrypted within the institution.
Encryption cannot guarantee data security. Even if encryption is
properly implemented, for example, a security breach at one of the
endpoints of the communication can be used to steal the data or
allow an intruder to masquerade as a legitimate system user.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 9 - Assurance
9.4 Operational Assurance
Design and implementation assurance addresses the quality of
security features built into systems. Operational assurance
addresses whether the system's technical features are being bypassed
or have vulnerabilities and whether required procedures are being
followed. It does not address changes in the system's security
requirements, which could be caused by changes to the system and its
operating or threat environment.
Security tends to degrade during the operational phase of the
system life cycle. System users and operators discover new ways to
intentionally or unintentionally bypass or subvert security
(especially if there is a perception that bypassing security
improves functionality). Users and administrators often think that
nothing will happen to them or their system, so they shortcut
security. Strict adherence to procedures is rare, and they become
outdated, and errors in the system's administration commonly occur.
Organizations use two basic methods to maintain operational
! A system audit -- a one-time or periodic event to evaluate
security. An audit can vary widely in scope: it may examine an
entire system for the purpose of reaccreditation or it may
investigate a single anomalous event.
! Monitoring -- an ongoing activity that checks on the system, its
users, or the environment.
In general, the more "real-time" an activity is, the more it falls
into the category of monitoring. This distinction can create some
unnecessary linguistic hairsplitting, especially concerning
system-generated audit trails. Daily or weekly reviewing of the
audit trail (for unauthorized access attempts) is generally
monitoring, while an historical review of several months' worth of
the trail (tracing the actions of a specific user) is probably an